What are refresh token, access tokens and Grant type?

Viewed 4,482 times

12

I was researching security in REST APIs and found the terms refresh tokens, access tokens and grant type, referring to how tokens work and how the customer requests the features.

What are they and what are the differences between them?

2 answers

9


Access Tokens - A type of credential that you can use to give external systems permission to interact with your application. As you mentioned, for example, your set of REST APIs could be consumed only through an identifier that you offer to your partner systems. This ID is the Access Token. A practical example of this is when you need to consume some Google/Facebook API.

Refresh Tokens - Occasionally, you may want to check from time to time the ID (Access Token) that the system consuming your API has. It can be for reasons of security, monetization of your API or even the frequency of use of the API. It works as follows: you give your partners 2 keys: 1) the Access Token (with a short lifespan) and 2) the Refresh Token (used to obtain a new Access Token). That way, when your partner makes a request to your application, it sends these 2 keys and your system checks whether the Access Token has expired. If so, you generate a new Access Token using the Refresh Token the partner sent you.

Grant Types - When you hear that term, it refers to the ways an external system has to obtain an Access Token for consuming your API. They may be:

  1. Authorization code
  2. Implicit
  3. Resource Owner credentials
  4. Client credentials
  5. Refresh token

All these concepts from your question are part of the OAuth 2.0 specification and you can get more details here (OAuth 2.0 Docs) and here (OAuth 2.0 Workflow Video).

  • Great, so in that case what always changes from time to time is the access_token. If I save the data in the database, I need to save the refresh_token, which is the access key to get a new access_token. And does the access_token need to be saved in the DB? Or can I just use the refresh_token with the code to request a new access_token and get it to access the information?
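As an added example, not code from the question, the answer or the comment above: a minimal authorization-server sketch in Python of the token lifecycle the answer describes, with the refresh token redeemed at the token endpoint through grant_type=refresh_token (the shape OAuth 2.0, RFC 6749, defines) and, relevant to the comment's storage question, only SHA-256 digests of both tokens kept server-side. The client id, client secret, lifetimes and in-memory stores are constructed assumptions.

```python
import hashlib
import hmac
import secrets

ACCESS_TTL = 300                 # access token lifetime in seconds (short-lived), assumed value
REFRESH_TTL = 30 * 24 * 3600     # refresh token lifetime in seconds (long-lived), assumed value

# Constructed in-memory stores standing in for the authorization server's database.
# Only SHA-256 digests of tokens are stored, so a leaked table yields no usable credentials.
_access = {}    # digest -> (client_id, expires_at)
_refresh = {}   # digest -> (client_id, expires_at)


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_tokens(client_id, now):
    """Mint a fresh access/refresh token pair for client_id (RFC 6749 section 5.1 response shape)."""
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    _access[_digest(access)] = (client_id, now + ACCESS_TTL)
    _refresh[_digest(refresh)] = (client_id, now + REFRESH_TTL)
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}


def check_access(token, now):
    """Resource-server check: the client_id the access token belongs to, or None if unknown/expired."""
    entry = _access.get(_digest(token))
    if entry is None or now >= entry[1]:
        return None
    return entry[0]


def token_endpoint(params, registered_clients, now):
    """Authorization-server token endpoint handling the client_credentials and refresh_token grants."""
    client_id = params.get("client_id", "")
    expected_secret = registered_clients.get(client_id)
    # Client authentication with a constant-time comparison of the client secret.
    if expected_secret is None or not hmac.compare_digest(expected_secret, params.get("client_secret", "")):
        return {"error": "invalid_client"}
    grant = params.get("grant_type")
    if grant == "client_credentials":
        return issue_tokens(client_id, now)
    if grant == "refresh_token":
        # Rotation: a refresh token is consumed on use, so a replayed one is rejected.
        entry = _refresh.pop(_digest(params.get("refresh_token", "")), None)
        if entry is None or entry[0] != client_id or now >= entry[1]:
            return {"error": "invalid_grant"}
        return issue_tokens(client_id, now)
    return {"error": "unsupported_grant_type"}
```

The access token itself need not be persisted by the client beyond its short lifetime; the refresh token is the long-lived value, and storing only its digest on the server limits the damage of a database leak.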

3

Access tokens are credentials used to access protected resources.

Refresh tokens are credentials used to get a new access token.

Grant type is used when the client wants to receive an access token without transmitting important information such as the client secret.

Access tokens and Refresh tokens

Grant type
